Govt Department should use Either NIC provided or own e-mail & web service

No. 2(103)/2014-CERT-InGovernment of IndiaMinistry of Communication & ITDepartment of Electronics and Information Technology

Electronics Niketan,New DelhiDated 27.11.2014

OFFICE MEMORANDUM

Subject: Advisory for use of email and web services in respect of compliance to the order of High Court of Delhi under Public Records Act, 1993

Internet has given the flexibility of accessing information from anywhere, any time through variety of techniques and technology be it computer system, mobile phone or Tablets. The email and the web services have emerged today as one of the most essential mode of communication between people to people, people to organizations and organizations to organizations. At the same time security risks have also increased while accessing information over the Internet through email or web as some of the adversaries have launched targeted attacks to steal or damage the information for different purposes and interests.

2. There are number of organizations in the country as well as outside the country providing email and web services to any person irrespective of the location. The National Informatics Centre (NIC) under Department of Electronics and Information Technology (DeitY) has hosted email and web hosting services in the country for use by employees of Government, be it Central or State Government, for government related communications and disseminating the information within government as well as outside the government. NIC has been quite liberal in creating the email and web accounts for Government employees both in the Central and State governments. They are also regularly engaged in strengthening the infrastructure both from the point of view of faster access and security.

3. It has been observed that a number of officials in the Ministries/Departments in the central and state government are using the private mail services particularly hosted and operated from outside India for official communications. Such official communications are government and also the public records. It is to mention that data pertaining to such emails and web services is stored by these service providers outside India and is fully under their control. At the time of any security breach incident or data loss it becomes very difficult to obtain data from those service providers apart from the possibility of leakage of information as they are controlled by the service providers outside the country.

4. The Section 4 of the Public Records Act, 1993 specifically prohibits against taking of public records out of India. The section 4 states as follows:

“Prohibition against taking of public records out of India – No person shall take or cause to be take out of India any public records without the prior approval of the central Government:

Provided that no such prior approval shall be required if any public records are taken or sent out of India for any official purpose.”

5. The High Court of Delhi in a writ petition W.P.(C) 3672/2012 K. N. Govindacharya versus Union of India has been particularly concerned with the official communications made through email and web using services provided by and from service providers outside the country.

6. Keeping in view the observations of the High Court of Delhi, the Public Records Act, 1993 and Data Privacy and the possibility of misusing/leaking of data exchanged using the email communications and web services provided by service providers outside the country, it is requested that the officials in your Ministry as well as organizations under the administrative control of the Ministry may be requested that:

All the Ministries/Departments of Central and State Governments should either use mail services provided by National Informatics Centre (NIC) or they should use their own e-mail and web services, being fully controlled by them and hosted in India for official communication. CERT-In security guidelines/advisories as issued time to time should be followed.